Document: Computer network internet security, part 9

~/.rhosts Files

The ~/.rhosts file can be used to allow remote access to a system and is sometimes used by intruders to create easy backdoors into a system. If this file has recently been modified, examine it for evidence of tampering. Initially and periodically verify that the remote host and user names in these files are consistent with local user access requirements. View a "+" entry with extreme caution: it allows users from any host to access the local system. An older vulnerability is systems set up with a single "+" in the /etc/hosts.equiv file, which allows any other system to log in to your system. The "+" should be replaced with specific system names. Note, however, that an intruder cannot gain root access through /etc/hosts.equiv entries, since that file is not consulted for the root account (only /.rhosts is).

~/ftp Files

Directories which can be written to by anonymous FTP users are commonly used for storing and exchanging intruder files. Do not allow the user "ftp" to own any directories or files.

System Executables in User Directories

Copies of what may appear to be system executables in user directories may actually be an attempt to conceal malicious software. For example, recent attacks have made use of binaries called "vi" and "sed", two commonly used Unix utilities; these particular binaries were actually renamed intrusion software files, designed to scan systems for weaknesses. System binaries found in unusual locations may be compared to the actual executable using the "cmp" command, which reports the first byte at which the two files differ and prints nothing when they are identical.

Determining if System Executables Have Been Trojaned

SPI (Security Profile Inspector) or Tripwire must be set up before an exposure in order to determine whether your system executables have been Trojaned. Use your CD-ROM to make sure you have a good copy of all your system executables, then run one of the above products according to its instructions to create a baseline for later comparison. Periodically rerun SPI or Tripwire to detect any modification of the system executables.

/etc/inetd.conf

Print a baseline listing of this file for comparison.
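The checks above lend themselves to scripting. The following is an added example written for this page, not code from the CIAC guide and not how SPI or Tripwire work internally: audit_trust_file() parses an rhosts/hosts.equiv-style file and flags "+" wildcards and hosts outside an assumed allow list, and snapshot()/compare() build a SHA-256 baseline of a set of files (system executables, /etc/inetd.conf, trust files) that can be compared later, the same idea as running cmp against a known-good copy but over a whole file set. The allow list, the paths and the "intrusion" simulated in demo() are all constructed for the example.

```python
"""Added example for the Unix intrusion checklist above; not from the
CIAC guide.  Two helpers:

  audit_trust_file()   - flag risky entries in ~/.rhosts or /etc/hosts.equiv
  snapshot()/compare() - SHA-256 baseline of files, and a later comparison

All host names, paths and file contents below are constructed sample data.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Assumed local policy: the only remote hosts that may appear in trust files.
ALLOWED_HOSTS = {"trusted.example.com", "build.example.com"}


def audit_trust_file(text, allowed=ALLOWED_HOSTS):
    """Return [(line_no, entry, reason), ...] for an rhosts-style file.

    Each entry is "host [user]".  "+" in either field is a wildcard,
    "+@group" names a netgroup, a leading "-" is an explicit denial and
    "#" starts a comment.
    """
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        fields = entry.split()
        host, user = fields[0], (fields[1] if len(fields) > 1 else None)
        if host.startswith("-"):
            continue                       # denial entries are not a risk
        if host == "+":
            findings.append((n, entry, "any host trusted"))
        elif host.startswith("+@"):
            findings.append((n, entry, "netgroup wildcard, review membership"))
        elif host not in allowed:
            findings.append((n, entry, "host not on allow list"))
        if user == "+":
            findings.append((n, entry, "any user trusted"))
    return findings


def sha256_of(path):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(paths):
    """Baseline: path -> (sha256, size, permission bits)."""
    base = {}
    for p in paths:
        st = os.stat(p)
        base[str(p)] = (sha256_of(p), st.st_size, st.st_mode & 0o7777)
    return base


def compare(baseline, current):
    """Return sorted lists of modified, added and removed paths."""
    report = {"modified": [], "added": [], "removed": []}
    for path, rec in baseline.items():
        if path not in current:
            report["removed"].append(path)
        elif current[path] != rec:
            report["modified"].append(path)
    report["added"] = [p for p in current if p not in baseline]
    return {k: sorted(v) for k, v in report.items()}


def demo():
    """Build a baseline in a temp directory, simulate an intrusion, compare."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "vi").write_bytes(b"\x7fELF original vi")
        (root / "etc" / "inetd.conf").write_text("ftp stream tcp nowait root /usr/sbin/ftpd ftpd\n")
        (root / "etc" / "hosts.equiv").write_text("trusted.example.com\n")
        watched = [root / "bin" / "vi", root / "etc" / "inetd.conf",
                   root / "etc" / "hosts.equiv"]
        baseline = snapshot(watched)

        # Constructed "intrusion": trojaned vi, a new inetd service,
        # a renamed scanner dropped as "sed", and a deleted trust file.
        (root / "bin" / "vi").write_bytes(b"\x7fELF trojaned vi")
        with open(root / "etc" / "inetd.conf", "a") as f:
            f.write("shell stream tcp nowait root /tmp/.hidden/bd bd\n")
        (root / "bin" / "sed").write_bytes(b"not really sed")
        (root / "etc" / "hosts.equiv").unlink()

        present = [p for p in watched + [root / "bin" / "sed"] if p.exists()]
        report = compare(baseline, snapshot(present))
        # Report paths relative to the temp root so the output is stable.
        return {k: [Path(p).relative_to(root).as_posix() for p in v]
                for k, v in report.items()}


if __name__ == "__main__":
    sample = "trusted.example.com alice\n+ +\nevil.example.org\n-bad.example.org\n"
    for line_no, entry, reason in audit_trust_file(sample):
        print(f"line {line_no}: {entry!r}: {reason}")
    print(demo())
```

The baseline must be taken from a known-good system and stored off the host (the guide's CD-ROM advice applies to the baseline as much as to the binaries), otherwise an intruder who has replaced vi can just as easily replace the baseline. Comparing hashes rather than ctime also sidesteps the caveat below about "ls -lc" being fooled.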
Look for new services.

/etc/aliases

Look for unusual aliases and those that redirect e-mail to unlikely places. Look for suspicious commands (an alias can pipe incoming mail into a program).

cron

Look for new entries in the crontab, especially root's. Look at each user's table.

/etc/rc*

Look for additions that install or reinstall backdoors or sniffer programs. Use SPI or Tripwire to detect changes to these files.

NFS Exports

Use the "showmount -a" command to find remote hosts that have file systems mounted. Check the /etc/exports (or equivalent) file for modifications. Run SPI or Tripwire to detect changes.

Changes to Critical Binaries

Run SPI or Tripwire initially and then periodically. Use the "ls -lc" command to determine whether there have been inappropriate changes to these files. Note that the change time displayed by "ls -lc" can be manipulated (for example, by resetting the system clock before touching the file) and that the ls command itself can be Trojaned, so its output is a hint, not proof.

Section References:

Pichnarczyk, Karen, Weeber, Steve & Feingold, Richard. "Unix Incident Guide: How to Detect an Intrusion", CIAC-2305 R.1. CIAC, Department of Energy, December 1994.

Appendix A: How Most Firewalls are Configured

All firewalls from any vendor that will be providing Internet firewall facilities require a routed connection to the Internet to provide traffic flow between the Internet and in-house network facilities. There is usually more than one router involved in such connections. With some effort such connections are successful, but they are usually difficult to monitor and manage.
A typical set-up with an Internet Service Provider where a firewall is configured in the network is, from the Internet inward, as follows:

  (a) Internet
  (b) CSU/DSU
  (c) IP Router
  (d) Ethernet/802.3
  (e) Firewall System
  (f) Ethernet/802.3
  (g) Trusted Network Hub

In the above diagram, the network and firewall connection parts are as follows:

a) Internet connection provided by an Internet Service Provider (ISP)
b) A CSU/DSU interface to the telephone drop from the local exchange carrier (LEC)
c) A router system to connect to the ISP's router connection to the Internet
d) An Ethernet/802.3 or Token Ring/802.5 UTP connection from the router to the firewall
e) A "dual-homed gateway" firewall system with two LAN controllers (in this diagram, two Ethernet/802.3 connections are provided)
f) An Ethernet/802.3 UTP connection from the firewall to the internal network
g) An internal network configuration. In this case, a simple stacked hub architecture (e.g. Cabletron Mini-MAC)

The above is an illustration of a typical, but simple, network configuration between a customer network and the Internet where information provision (e.g. a Web site) will not be used.

Using a Router as a "Screen"

One of the more popular configurations of a "firewall" is to use an external router as the single security facility between an untrusted network (e.g. the Internet) and the internal, trusted network. This configuration is called a "screening router" set-up. A typical configuration is as follows:

  (a) Internet
  (b) CSU/DSU
  (c) IP Router
  (d) Ethernet/802.3
  (e) Trusted Network Hub

The network configuration for a "screening router" is as follows:

a) Internet connection provided by an Internet Service Provider (ISP)
b) A CSU/DSU interface to the telephone drop from the local exchange carrier (LEC)
c) A router system to connect to the ISP's router connection to the Internet. On this router there are a variety of "filter" rules, which provide some level of security between the trusted internal network and the untrusted Internet connection.
d) An Ethernet/802.3 or Token Ring/802.5 UTP connection from the router to the internal network
e) An internal network configuration. In this case, a simple stacked hub architecture (e.g. Cabletron Mini-MAC)

While the router is a required part of the network connection, there are some definite problems with using screening routers as the only network security interface to an untrusted network, including:

• Configuration of filters and security facilities in the router may be difficult to accomplish, and knowledge about the intricacies of routing is required to do it correctly.
• There is usually little or no auditing or logging of traffic and security information, as most routers are diskless and have no easy way to get information to secondary (disk) storage. Further, routers are built to route and not necessarily to handle logging of network traffic.
• It can be quite difficult for the network and security managers to get information out of the router on the paths and the security rule base that was implemented.
• Adding authentication is difficult, time consuming and expensive even if the router vendor supports such functions.
• Sessions from other parts of the network may be "tunneled" on top of each other and are therefore non-filterable by the router itself.
• There is usually user demand to open up features in a router that are not screenable by the router, which puts the trusted side of the network at risk.
• Any bug in the router's operating environment may not be detected and can compromise the network's security (there have been numerous CERT and CIAC alerts about router bugs and security issues over the years).
• Routers can be "spoofed" with some types of IP header options (source routing is the classic case) that cause the router to believe that an external packet "looks" like an internal packet to the router tables.
• Over time, multiple connections on the router usually do not get the same security screening rules. This means that one path through the router may not have the same security facilities as another, and this may allow alternate paths to compromise the security of the router.
• Routers are configured to route. Enabling any filtering facility in a router will degrade the router's performance. As more filters are added, the router's performance may degrade to a totally unacceptable level for traffic. As a result, many sites opt to remove filtering that is necessary for security in order to regain performance, and end up compromising trusted network security and integrity.

Using a router on a network connection is a normal, essential function. Relying on the router as the only screen for security facilities is dangerous.

Appendix B: Basic Cost Factors of Firewall Ownership

The following 20 base factors comprise the basic costing issues in the ownership of firewall products:

1. Firewall requirements analysis prior to vendor selection. This phase involves the technology assessment issues a company must go through to determine the threat to the corporate information structures, the risk of loss that would be associated with a connection that is unprotected, the risk of loss that could happen if the connection is breached, the known corporate information resources that must be protected and their relative priorities of protection categories, corporate security policies and procedures as related to any external network connection, corporate audit measurement and adherence requirements, technical details on what facilities are on-line and are threatened, etc.

2. Corporate decisions on exactly what security policies need to be in place in any firewall to satisfy the corporate security requirements as defined in the initial needs analysis. This step is crucial to properly identifying to the firewall vendor WHAT the firewall will be programmed to protect.
The vendors will need this list to identify whether their product can provide the levels of protection required by the corporate need.

3. Vendor product evaluation to determine a list of finalist vendors. Typically, a corporate committee will be appointed to evaluate vendor offerings vis-à-vis the corporate firewall requirements list. In this stage of costing, the meetings with vendors and the selection of, typically, no more than five finalists for the firewall product set are completed.

4. Evaluation of finalist vendors. This costing factor involves the testing and technical evaluation of the firewall vendor finalists to ensure that the selected vendor products can really provide the required corporate security services in the firewall product; that the product meets quality and management standards as defined in the requirement definition phase; that the firewall product(s) function as advertised, established by discussing the product with existing customers; that the firewall product performs technically as expected and provides the required throughput to solve the firewall connectivity requirements; and that the vendors meet corporate requirements of technical support, maintenance and other requirements that may have been defined.

5. Selection of a vendor's product. This phase involves the selection of a vendor and the political jostling that always takes place just prior to a decision in a corporate culture.

6. Acquisition of hardware/software and basic set-up effort. In this costing phase, the basic hardware, system software, firewall software and layered/additional products are acquired, configured and set up so that security policies may be added later.
Items would also include basic system management (backup/restore, system tuning, system and network management tool set-up, system/network management account set-up, etc.), network hardware interconnection and set-up (router installation, service acquisition from the Internet feed provider, cabinet and cable installation, power hook-up, basic hardware configuration and activation, etc.), and so on.

7. Training on the creation/definition/management of security policies for the selected firewall. If the company intends to properly manage and maintain the firewall product set, training must be supplied to the technical staff who will be installing and maintaining the firewall facilities. If the staff are not familiar with the technical aspects of firewall technologies, then additional training on firewall concepts, network security concepts, advanced network security technologies and security management must be undertaken. Failure to provide adequate training on the firewall product will result in a much higher manpower costing factor for in-house personnel as well as a higher consultation costing factor, due to the recurring need to secure outside help to make modifications to the firewall facilities to satisfy corporate needs as time goes on.

8. Definition and installation of security policies for the firewall. Using the requirements definitions, security filters are created that mirror the security requirements for use of the network connection that is provided via the firewall facilities. How long this phase takes depends heavily on the training provided to in-house personnel, or on the expertise in the system and firewall product set of the consultant(s) hired to implement the security policy filter baseline. There can be a very wide variance in manpower requirements from product to product.

9. Testing of the firewall with the security policies installed.
This phase of costing is critical to reduce corporate risk factors and to ensure that the firewall is functioning properly. Typically, the filters are fully tested by in-house or consulting personnel, and then a third party is contracted to provide a penetration study to verify the integrity of the firewall and the proper implementation of the security policies implemented as filters in the firewall product set. How much testing is required is a function of corporate risk factors, estimated usage metrics, importance of reliability and many other issues.

10. Release of the firewall connection to the user population. For a period of time, there is a requirement to provide modifications and changes to satisfy a shake-down period of user access. This is usually a higher manpower requirement than the day-to-day management function that eventually settles into corporate use.

11. Day-to-day technical management effort. This costing factor involves the typical day-to-day functions required to keep the firewall functioning properly (checking of logs, events, backup/restore, disk maintenance, etc.) as well as the modifications and additions to the security policy rule base to accommodate new users, changes of service to existing users, moves of users, readdressing of systems on the network, added service facilities, etc. There may also be report-writing requirements to the company to show management and maintenance of the firewall, as well as the disposition of serious events and problems that need to be addressed as the product is used.

12. Periodic major maintenance and upgrades. As time goes on, there will be required down-time network activities to satisfy hardware and software operational needs. The hardware will need to be periodically updated with additional disk space or memory, faster processing may be required via a new processing system, additional or faster network controllers may be added to the configuration, and so on.
Software-wise, the operating system may require upgrades to patch or fix problems, bug fixes and updates to the firewall software will be required, new security threats may be identified by vendors and updates to the security filters are required, etc. Further major maintenance may be required in the form of major system upgrades to support higher-speed Internet connectivity or to support multiple network feeds from the Internet, customers, sister companies, etc.

13. Remedial training for technical personnel. As the systems and software are upgraded over time, the firewall software and operating environment will undergo extensive transformations to take into account new security facilities as well as new user facilities. This will require remedial training and updates for technical personnel to allow them to properly take advantage of the new facilities as well as to properly identify potential security risks and isolate them before they become problems for the company. Remedial training may also include attendance at national and international security conferences and outside training events for firewall and security efforts.

14. Investigation of infiltration attempts. As the firewall product set is used and connected to a publicly available network, it is extremely likely that
unauthorized connections will be attempted by hackers and other disreputable individuals on the network. When these infiltration attempts occur, someone within the company will be required to investigate the whys and hows of the penetration attempt, report on the attempt, and help management make decisions on what to do to defeat such infiltrations in the future, as well as modify existing policies, filtering rules and other firewall functions to ensure security integrity in the firewall set-up. This effort, depending upon the visibility of the company, can be time consuming and expensive. It is labor intensive, as the tools on firewalls are only one component of the investigator's repertoire of facilities required to accomplish their mission.

15. Corporate audits. Needless to say, corporate EDP audit functionaries will require someone who understands the firewall set-up to work with them to ensure that corporate security requirements are properly implemented in the firewall facilities. For those companies without proper corporate audit expertise, an outside consultancy may be hired to evaluate the firewall set-up and operations from time to time to ensure integrity and reliability. In either case, someone familiar with the technical operations of the firewall set-up must be made available to the audit functionary, and this takes time.

16. Application additions to the network firewall connection. As the network connection via the firewall increases in popularity and criticality to corporate business, the need to add application facilities and access to remote network facilities will increase. This leads to multiple meetings between firewall management team personnel and users/application implementers who wish to add applications over the firewall facilities. This will eventually result in new security policy filters, additional firewall packet loading and other performance and labor-related functions which affect overall cost of ownership. It may also require hardware and software upgrades faster than expected due to packet or application loading increases.

17. Major outage troubleshooting. From time to time, all technological components break, and a firewall is no exception. When such outages occur, someone has to spend time defining the problem(s), finding solutions, implementing solutions and restoring the status quo ante. How much time this will take varies, but it usually is significant and intense, as the firewall becomes a locus of activity during an outage of any kind.

18. Miscellaneous firewall and network security meeting time (technical and political).
This factor is a catch-all for time spent explaining the firewall facilities to interested corporate groups or management, as well as functioning as a "go-between" for information on facilities available to users. This factor can be extremely time consuming and, as a general rule, does not generate any measurable progress. It is manpower time required to keep things running smoothly and is, therefore, a cost factor.

19. New firewall and network security technology assessment (ongoing). As the firewall lifetime progresses, the need to evaluate new threats and new technologies that defeat new threats is important. Further, additional vendor features for a particular firewall product may need to be evaluated for inclusion into the existing facilities. For instance, if a new standard for remote authentication via firewalls is added to most products, this facility will need to be evaluated for use with the existing facilities. This takes time and technical effort.

20. Application changes and network re-engineering. All applications and network components change with time on any network. Prudent engineering requires that firewall facilities be re-evaluated for any changes in application set-up or network hardware that could affect the integrity of the firewall facility. Again, a time-consuming effort is involved.

As can be seen, properly (and improperly) defined and installed firewalls consume a great deal of time and resources. This makes them fairly expensive resources as well as a strategic corporate resource, not a tactical one. The cost of a firewall is not the firewall itself; it is all the ancillary functions and time involved. The more of these extra costs that can be eliminated, the better the costing solution for the customer.

Appendix C: Glossary of firewall related terms

1. Abuse of Privilege: When a user performs an action that they should not have, according to organizational policy or law.

2. Application-Level Firewall: A firewall system in which service is provided by processes that maintain complete TCP connection state and sequencing. Application-level firewalls often re-address traffic so that outgoing traffic appears to have originated from the firewall rather than from the internal host.

3. Authentication: The process of determining the identity of a user that is attempting to access a system.

4. Authentication Token: A portable device used for authenticating a user. Authentication tokens operate by challenge/response, time-based code sequences, or other techniques. This may include paper-based lists of one-time passwords.

5. Authorization: The process of determining what types of activities are permitted. Usually, authorization is in the context of authentication: once you have authenticated a user, they may be authorized for different types of access or activity.

6. Bastion Host: A system that has been hardened to resist attack, and which is installed on a network in such a way that it is expected to potentially come under attack. Bastion hosts are often components of firewalls, or may be "outside" Web servers or public access systems. Generally, a bastion host is running some form of general purpose operating system (e.g., UNIX, VMS, WNT, etc.) rather than a ROM-based or firmware operating system.

7. Challenge/Response: An authentication technique whereby a server sends an unpredictable challenge to the user, who computes a response using some form of authentication token.

8. Chroot: A technique under UNIX whereby a process is permanently restricted to an isolated subset of the filesystem. (A process running as root can generally escape a chroot, so it is a containment aid rather than a security boundary on its own.)

9. Cryptographic Checksum: A one-way function applied to a file to produce a unique "fingerprint" of the file for later reference. Checksum systems are a primary means of detecting filesystem tampering on UNIX.

10. Data Driven Attack: A form of attack in which the attack is encoded in innocuous-seeming data which is executed by a user or other software to implement an attack. In the case of firewalls, a data driven attack is a concern since it may get through the firewall in data form and launch an attack against a system behind the firewall.

11. Defense in Depth: The security approach whereby each system on the network is secured to the greatest possible degree. May be used in conjunction with firewalls.

12. DNS Spoofing: Assuming the DNS name of another system by either corrupting the name service cache of a victim system, or by compromising a domain name server for a valid domain.

13. Dual Homed Gateway: A dual homed gateway is a system that has two or more network interfaces, each of which is connected to a different network. In firewall configurations, a dual homed gateway usually acts to block or filter some or all of the traffic trying to pass between the networks.

14. Encrypting Router: See Tunneling Router and Virtual Network Perimeter.

15. Firewall: A system or combination of systems that enforces a boundary between two or more networks.

16. Host-based Security: The technique of securing an individual system from attack. Host-based security is operating system and version dependent.

17. Insider Attack: An attack originating from inside a protected network.

18. Intrusion Detection: Detection of break-ins or break-in attempts, either manually or via software expert systems that operate on logs or other information available on the network.

19. IP Spoofing: An attack whereby a system attempts to illicitly impersonate another system by using its IP network address.

20. IP Splicing / Hijacking: An attack whereby an active, established session is intercepted and co-opted by the attacker. IP splicing attacks may occur after an authentication has been made, permitting the attacker to assume the role of an already authorized user. Primary protections against IP splicing rely on encryption at the session or network layer.

21. Least Privilege: Designing operational aspects of a system to operate with a minimum amount of system privilege. This reduces the authorization level at which various actions are performed and decreases the chance that a process or user with high privileges may be caused to perform unauthorized activity resulting in a security breach.

22. Logging: The process of storing information about events that occurred on the firewall or network.

23. Log Retention: How long audit logs are retained and maintained.

24. Log Processing: How audit logs are processed, searched for key events, or summarized.

25. Network-Level Firewall: A firewall in which traffic is examined at the network protocol packet level.

26. Perimeter-based Security: The technique of securing a network by controlling access to all entry and exit points of the network.

27. Policy: Organization-level rules governing acceptable use of computing resources, security practices, and operational procedures.

28. Proxy: A software agent that acts on behalf of a user. Typical proxies accept a connection from a user, make a decision as to whether or not the user or client IP address is permitted to use the proxy, perhaps perform additional authentication, and then complete a connection on behalf of the user to a remote destination.

29. Screened Host: A host on a network behind a screening router. The degree to which a screened host may be accessed depends on the screening rules in the router.

30. Screened Subnet: A subnet behind a screening router. The degree to which the subnet may be accessed depends on the screening rules in the router.

31. Screening Router: A router configured to permit or deny traffic based on a set of permission rules installed by the administrator.

32. Session Stealing: See IP Splicing.

33. Trojan Horse: A software entity that appears to do something normal but which, in fact, contains a trapdoor or attack program.

34. Tunneling Router: A router or system capable of routing traffic by encrypting it and encapsulating it for transmission across an untrusted network, for eventual de-encapsulation and decryption.

35. Social Engineering: An attack based on deceiving users or administrators at the target site. Social engineering attacks are typically carried out by telephoning users or operators and pretending to be an authorized user, to attempt to gain illicit access to systems.

36. Virtual Network Perimeter: A network that appears to be a single protected network behind firewalls, which actually encompasses encrypted virtual links over untrusted networks.

37. Virus: A self-replicating code segment. Viruses may or may not contain attack programs or trapdoors.

Appendix D: Top 10 Security Threats

1. Firewall and System Probing
Hackers are using sophisticated, automated tools to scan for vulnerabilities in a company's corporate firewall and the systems behind it. These hacker tools have proved to be quite effective, with the average scan taking less than three minutes to identify and compromise an exposure. Companies can prevent this by ensuring that their systems sit behind a network firewall and that any services available through this firewall are carefully monitored for potential security exposures.

2. Network File System (NFS) Application Attacks
Hackers attempt to exploit well-known vulnerabilities in the Network File System application, which is used to share files between systems. These attacks, usually through network firewalls, can result in compromised administrator access. To combat this, ensure systems do not allow NFS through the firewall, and enable NFS protections to restrict who can access files.

3. Electronic Mail Attacks
Hackers can compromise network systems by simply sending e-mail to them.
Companies that accept e-mail from the Internet and that have exposed versions of the sendmail program are potential targets of this attack. Last year more than 20,000 systems were compromised due to this exposure. To prevent this from occurring, check with vendors to ensure systems are running a current, patched version of sendmail or some more secure mail product.

4. Vendor Default Password Attacks
Systems of all types come with vendor-installed usernames and passwords. Hackers are well educated on these default usernames and passwords and use these accounts to gain unauthorized administrative access to systems. Protect systems by ensuring that all vendor passwords have been changed.

5. Spoofing, Sniffing, Fragmentation and Splicing Attacks
Recently computer hackers have been using sophisticated techniques and tools at their disposal to identify and expose vulnerabilities on Internet networks. These tools and techniques can be used to capture names and passwords, as well as to compromise trusted systems through the firewall. To protect systems from this type of attack, check with computer and firewall vendors to identify possible security precautions.

6. Social Engineering Attacks
Hackers will attempt to gain sensitive or confidential information from companies by placing calls to employees and pretending to be another employee. These types of attacks can be effective in gaining usernames and passwords as well as other sensitive information. Train employees to use a "call-back" procedure to verify the distribution of any sensitive information over the telephone.

7. Easy-To-Guess Password Compromise
Most passwords that are easy to remember are also easy to guess. These include words in the dictionary, common names, slang words, song titles, etc. Computer hackers will attempt to gain access to systems using these easy-to-guess passwords, usually via automated attacks.
Protect systems by ensuring that passwords are not easy to guess: that they are at least eight characters long, contain special characters and use both uppercase and lowercase characters.

8. Destructive Computer Viruses
Computer viruses can infect systems on a widespread basis in a very short period. These viruses can be responsible for erasing system data. Protect systems from computer viruses by using anti-virus software to detect and remove them.

9. Prefix Scanning
Computer hackers will scan company telephone numbers looking for modem lines which they can use to gain access to internal systems. These modem lines bypass network firewalls and usually bypass most security policies. These "backdoors" can easily be used to compromise internal systems. Protect against this intrusion by ensuring modems are protected from brute force attacks: place these modems behind firewalls, make use of one-time passwords, or have these modems disabled.

10. Trojan Horses
Hackers will install "backdoor" or "Trojan Horse" programs on business computer systems, allowing unrestricted access into internal systems that bypasses security monitoring and auditing policies. Conduct regular security analysis audits to identify potential security vulnerabilities and exposures.
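Threat 5 above, the spoofing weakness of screening routers noted in Appendix A, and the packet-level attacks catalogued in Appendix E below all come down to rules a packet filter can apply at the perimeter. The block below is an added example written for this page, not the rule syntax of any real router: it models a screening-router rule set in Python so that ingress/egress anti-spoofing, a source-route drop, and signatures for Land, Smurf, WinNuke and overlapping-fragment (Teardrop/Boink) attacks can be exercised against constructed packets. The interface names "ext"/"int", the internal block 192.0.2.0/24, the published services and all packet fields are assumptions for the example.

```python
"""Added example, not from the original text: a model of a screening
router's rule set with anti-spoofing and a few attack signatures.
The address block, interface names, published services and the sample
packets are constructed for the example.
"""
from dataclasses import dataclass
import ipaddress

# Assumed trusted address space behind the router.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
# Assumed services the policy publishes to the Internet (SMTP, HTTP).
ALLOWED_INBOUND_TCP = {25, 80}


@dataclass
class Packet:
    iface: str                 # "ext" = arrived from the Internet, "int" = from inside
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"} or {"URG", "ACK"}
    icmp_type: int = -1        # 8 = echo request
    src_routed: bool = False   # IP source-route option present


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def is_broadcast(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip == net.broadcast_address for net in INTERNAL_NETS)


def screen(p):
    """Apply the rules in order; return (action, reason) of the first match."""
    # Anti-spoofing in both directions: an "internal" source cannot arrive
    # from the Internet, and nothing leaves with a foreign source address.
    if p.iface == "ext" and is_internal(p.src):
        return "drop", "ingress anti-spoof: internal source from outside"
    if p.iface == "int" and not is_internal(p.src):
        return "drop", "egress anti-spoof: foreign source from inside"
    # Source routing lets the sender dictate the path; drop it outright.
    if p.src_routed:
        return "drop", "source-routed packet"
    # Land: SYN from a host to itself on the same port.
    if p.proto == "tcp" and "SYN" in p.flags and p.src == p.dst and p.sport == p.dport:
        return "drop", "land: connection to self"
    # Smurf: echo request aimed at our broadcast address (we would amplify it).
    if p.proto == "icmp" and p.icmp_type == 8 and is_broadcast(p.dst):
        return "drop", "smurf: echo request to broadcast"
    # WinNuke: urgent (out-of-band) data to the NetBIOS session port.
    if p.proto == "tcp" and p.dport == 139 and "URG" in p.flags:
        return "drop", "winnuke: OOB data to port 139"
    # Stateless "established" rule: new inbound connections (SYN without ACK)
    # only to published services; replies and outbound traffic pass.
    if p.iface == "ext" and p.proto == "tcp" and "SYN" in p.flags and "ACK" not in p.flags:
        if p.dport not in ALLOWED_INBOUND_TCP:
            return "drop", "inbound connection to unpublished service"
    return "accept", "policy"


def fragments_overlap(frags):
    """frags: [(offset, length), ...] of one datagram.  True when a fragment
    overlaps an earlier one, the malformed layout Teardrop/Boink send."""
    end = 0
    for off, length in sorted(frags):
        if off < end:
            return True
        end = off + length
    return False


SAMPLES = {
    "spoofed_internal": Packet("ext", "192.0.2.10", "192.0.2.5", "tcp", 40000, 25, frozenset({"SYN"})),
    "egress_spoof": Packet("int", "203.0.113.7", "198.51.100.1", "udp", 53, 53),
    "source_routed": Packet("ext", "203.0.113.9", "192.0.2.5", "tcp", 40000, 25, frozenset({"SYN"}), src_routed=True),
    "land": Packet("int", "192.0.2.5", "192.0.2.5", "tcp", 139, 139, frozenset({"SYN"})),
    "smurf": Packet("ext", "203.0.113.9", "192.0.2.255", "icmp", icmp_type=8),
    "winnuke": Packet("ext", "203.0.113.9", "192.0.2.5", "tcp", 40000, 139, frozenset({"URG", "ACK"})),
    "telnet_in": Packet("ext", "203.0.113.9", "192.0.2.5", "tcp", 40000, 23, frozenset({"SYN"})),
    "smtp_in": Packet("ext", "203.0.113.9", "192.0.2.5", "tcp", 40000, 25, frozenset({"SYN"})),
    "web_out": Packet("int", "192.0.2.5", "203.0.113.9", "tcp", 50000, 80, frozenset({"SYN"})),
}


def run_samples():
    """Return {name: action} for the constructed packets."""
    return {name: screen(p)[0] for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, p in SAMPLES.items():
        print(f"{name:17s} -> {screen(p)}")
    print("teardrop-style fragments:", fragments_overlap([(0, 1400), (1000, 600)]))
```

Two things worth noticing when running it. A Land packet sent from the Internet against an internal host necessarily carries an internal source address, so the ingress anti-spoof rule catches it before the Land signature ever runs; the dedicated rule only matters for packets originating inside. And the "established" check keys on the ACK bit alone, which is exactly the kind of stateless shortcut Appendix A warns about: anything with ACK set passes, so a stateful firewall behind the router is still needed.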
Appendix E: Types of Attacks

| Attack name | Symptoms | Description | Notes |
|---|---|---|---|
| Boink (similar to Bonk, Teardrop and New Tear/Tear2), a hack | System seizure | Bad fragment attack | Sends bad packet fragments that cannot be correctly reassembled, causing the system to fail |
| DoS (Denial of Service) | Lack of access to resources and services | Denial of Service attacks tie up system resources doing things you do not want so you cannot get service | Examples include floods (which soak up bandwidth and CPU) and disconnects (which prevent you from reaching hosts or networks) |
| Floods (Nukes), a DoS attack | n/a | Large amounts of useless ICMP (usually) or UDP packets | Ties up the system by making it respond to floods of useless garbage |
| ICMP flooding (flood ping), a DoS attack | Loss of bandwidth (slow responses from the Internet) and poor response time on the desktop | A flood of ICMP (ping) requests that tie your system in knots responding to garbage traffic. This is analogous to wasting your time answering the door to never-ending doorbells that do nothing. | Ties up CPU time and wastes your bandwidth with the garbage traffic. For example, "Pingexploit" typically attacks Unix systems with oversized ICMP packet fragments. |
| Identification flooding (Identd), a DoS attack | Loss of bandwidth (slow responses from the Internet) and poor response time on the desktop | Similar to an ICMP flood, but requests information from your system (TCP port 113) | Very often slows the CPU down (even more than an ICMP flood) since identification responses take more time than ICMP responses to generate |
| Jolt (SSping, IceNuke), a hack | System seizure | Oversized, fragmented packet which causes the system to seize up | System stops working and must be rebooted |
| Land, a hack | System seizure forcing cold reboot | Spoofing attempt which establishes a TCP/IP connection to you from you. This SYN request forces the system to connect to itself, thereby locking itself up. | The attacked system attempts to connect to itself and seizes up |
| Hack | N/A | An application or a packet that exploits a weakness in an operating system, application or protocol | Varied results. Examples include smurf, teardrop, land, newtear, puke, ssping, jolt, etc. |
| Pong, a hack | Loss of bandwidth (slow responses from the Internet) and poor response time on the desktop | Flood of spoofed ICMP packets, usually changing the spoofed source address with every packet | Reboot to solve |
| Puke, a hack | Disconnection from a server (usually IRC) | Spoofs an ICMP unreachable error to a target. This forces a disconnect from a server. | Usually preceded by an ICMP port scan where "pings" are sent to a system to find a vulnerable port being used to connect to a server |
| Scan, a generic technique and a DoS attack | System slows | A progressive, systematic testing of ports for an "opening." This attack can chew into system resources since its target is usually changing. It often requires a proper firewall or a large, multi-port block to prevent. | Usually used prior to a hack to find a vulnerable attack spot. This is considered a brutish form of attack and is not as effective as other floods for tying up resources. It usually precedes a more "elegant" attack form. |
| Smurf, a hack | A very effective CPU-crushing flood-like attack. Apparent system seizure. | Spoofs ICMP packets requesting a response and triggering multiple responses | A form of flood that is very dangerous since it can get a "many-for-one" effect, tying up lots of CPU cycles for relatively few packets sent |
| Spoofing (IPspoof) | N/A | An attack masking style that makes traffic appear to come from a legitimate target, or that attempts to frame innocent bystanders for attacks for which they are not responsible | Particularly nasty attack because hacks, floods and nukes are illegal in most countries and subject to prosecution |
| Unreachable (dest_unreach), a DoS attack | "Destination Unreachable" messages and disconnection from a server | There are two forms of this: client unreachable and server unreachable. The server unreachable attack sends an ICMP message to the system fooling it into thinking its traffic can no longer reach the server, so it gives up. The client unreachable form does the same thing to the server with respect to your system. | |
| WinNuke, a hack and a DoS attack, but not a flood | Loss of networking resources | Sends OOB (Out-of-Band) data to port 139 and exploits Win 3.11, Win95, Win NT 3.51 and Win NT 4.0 systems | Does not crash the system, but it causes a fatal exception requiring a reboot to regain TCP/IP (Internet) connectivity |

Appendix F: Top 10 Security Precautions

1. Firewall Sensitive Systems
Ensure corporate systems are protected from Internet attacks. Deploy a firewall between these systems and the Internet to guard against network scans and intrusions.

2. Obtain Security Alert Information
Subscribe to security alert mailing lists to identify potential security exposures before they become problems. CERT (Computer Emergency Response Team at Carnegie Mellon University) is a good place to start. The URL for CERT's Web site is cert-advisory-request@cert.org. The e-mail address is cert@cert.org.

3. Review System Audit Trails Regularly
Regularly check logging data and audit trails to look for unusual or suspicious activity.

4. Backup Data
Don't be a victim of accidental or malicious data erasure. Back up all sensitive data on a regular basis.

5. Purchase and Deploy Anti-Virus Software
Computer viruses can spread throughout a system in minutes. Check systems for viruses on a regular basis.

6. Change Passwords On A Regular Rotational Basis
Don't pick easy-to-remember passwords, and change them often. Consider the use of one-time password tokens to avoid password compromise threats.

7. Deploy Vendor Security Patches
Consult with vendors and obtain any system security patches that can be used to add additional layers of protection.

8. Establish and Enforce A Security Policy
Develop and enforce a company-wide computer and physical security policy.

9. Employee Awareness
Ensure all employees and management are briefed regularly on security threats, policies, corrective measures and incident reporting procedures.

10. Make Use Of Public Domain Security Tools
A variety of public domain security tools exist on the Internet, many of which can be used to assist in the protection of computer systems.

Appendix G: Virus Glossary

Back Door: An entry to a program or system created by its designer to allow special access, often without proper security checks. A classic back door was used by a teen-age hacker in the movie "War Games".

Bacterium: A program which spreads to other users or systems by copying itself as a by-product of execution. It doesn't infect other programs, but acts independently.

Bogus Programs: Programs which do not do what they have been advertised to do. An example is XTRATANK, which claims to double your hard drive space. It merely diddles the file allocation to double the reported size of the disk.

Boot Sector Virus: A virus secreted in the boot sector, or replacing the boot sector, on a floppy disk. Also a virus on the master boot block of a hard disk, or in the partition table of a hard disk. N.B.: even non-system floppy disks still have a boot sector; they just lack the boot program on that block! Examples are the Stoned and Michelangelo viruses.

Bug: An error in the design or implementation of a program that causes the program to do something unintended. Remember, even viruses have bugs. The original "bug" was a moth stuck in a relay of ENIAC.

Checksum: A number that uniquely defines a file, block or other bit of computer code. A checksum is calculated by applying an algorithm to each byte of the code and rotating it, logically ANDing or ORing it to some standard, or otherwise encoding it. The result is a single number which is a numeric finger-print. See Cyclic Redundancy Check (CRC).

Cracks: Programs with the anti-copying protection removed, disabled or bypassed. Both hardware and software anti-pirating techniques can be broken with the appropriate knowledge and software.

Cyclic Redundancy Check (CRC): A unique numeric finger-print of a file, block or other bit of computer code. This is usually calculated using a look-up table. It is common in error-checking protocols. See Checksum.

Device Bomb: A program which executes based on the presence of a particular device, such as a COM port, hard drive D:, etc., usually with malicious actions.

Droppers: Programs which have a legitimate use, but contain viruses which are secretly planted in the system. Droppers may actually be commercial software hacked to drop viruses.

FAT: File Allocation Table. These areas of the formatted floppy or hard disk contain information used by the system to locate and maintain the file structure.

File Viruses: These viruses infect files with *.COM or *.EXE extensions. Friday the 13th is an example. Also included in this category are viruses which use the "corresponding files" technique. These viruses search for directories with files with .EXE extensions and then create a file of the same name with a .COM extension. Since DOS executes files with the *.COM extension before those with the .EXE extension, the virus is executed and then passes control to the .EXE file.

Hacks: Software which has been illegally modified by a system expert. See cracks, pirates, droppers, etc. This may range from simply modifying parts of the code with a debugger to patching the system to snatch interrupts.

Hoaxes: Programs which claim to do the impossible, and don't. An example is a file 2496 which claims to provide instructions on running a 2400 bps modem at 9600 or even 14400 bps. If you follow the instructions, you get a modem which runs at 0 bps.

Immunization: An anti-virus strategy to prevent virus infection. This may involve putting a virus signature into the software to be immunized, in hopes of fooling a virus into believing the code is already infected. It may also involve creating checksums for each file which can be compared during later anti-virus examinations to guard against virus infection.

Interrupt: A hardware or software signal which indicates to the OS that some event, such as a keystroke, has happened. It is typically taken care of by an interrupt handler which services the event.

Jokes: Programs which do something intended to be amusing, without causing serious harm or replicating. BUGS, which causes little bugs to run across the screen when executed, is an example.

Logic Bomb: A program which executes on the occurrence, or lack of occurrence, of a set of system conditions. Classic examples are programs which cease functioning if the programmer's name is removed from the company's payroll list.

Multi-partite Viruses: These viruses infect both boot sectors and files. Tequila is an example.

Pirates: Any illegally obtained software. Also software which has had the copyright notices or other identification altered or removed.

Polymorphic Viruses: These viruses change their characteristics as they replicate. Many of these utilize the Bulgarian Dark Avenger's mutating engine. The Whale virus is an example.

Rabbit: A program designed to exhaust a system resource (e.g. CPU time, disk space, terminal I/O, etc.) by replicating itself without limit. It differs from a bacterium in that it is specifically targeted at a system resource, and from a virus in that it is a self-contained program.

Rogue Program: A program that is no longer under the control of its owner, the system or its executing terminal; a.k.a. zombie. A virus is the ultimate rogue program!

Stealth Viruses: These viruses conceal the results of infection: keeping the file length unchanged, for example, or modifying the file in such a way that the checksum is not changed. They may simply alter the system so that the file length is reported unchanged although it is actually increased. Hundred Years is an example.

Systemic Viruses: These viruses infect parts of the system other than the boot block. The file allocation table (FAT), device tables, directories, device drivers and COMMAND.COM are typical targets. Number of the Beast is an example.
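The Land, WinNuke and Jolt rows of the Appendix E table describe packet-level patterns a defender can recognise on the wire. As an added example that is not part of the original text, the following Python classifier parses raw IPv4/TCP headers and flags those three patterns; every address and packet in it is constructed for the demonstration.

```python
import struct

# Added example (not from the original text): classify raw IPv4 packets against
# three patterns from the attack table: Land (a SYN from a host to itself),
# WinNuke (OOB/URG data to TCP port 139) and oversized fragments (Jolt,
# "Pingexploit": a fragment whose end lies past the 65535-byte IP maximum).

SYN, URG = 0x02, 0x20

def ipv4_header(src, dst, proto, frag_off=0, total_len=40):
    """20-byte IPv4 header; the checksum is left zero, it is not used here."""
    ip = lambda s: bytes(int(o) for o in s.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, frag_off,
                       64, proto, 0, ip(src), ip(dst))

def tcp_header(sport, dport, flags):
    """Minimal 20-byte TCP header carrying the given flag bits."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)

def classify(pkt):
    """Return the names of the suspicious patterns a raw IPv4 packet matches."""
    ver_ihl, _, total_len, _, fo_field, _, proto, _, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    frag_off = (fo_field & 0x1FFF) * 8        # low 13 bits, in 8-byte units
    findings = []
    if frag_off + (total_len - ihl) > 65535:  # reassembly would exceed the IP max
        findings.append("oversized-fragment")
    if proto == 6 and len(pkt) >= ihl + 14:
        sport, dport, _, _, _, flags = struct.unpack("!HHIIBB", pkt[ihl:ihl + 14])
        if src == dst and sport == dport and flags & SYN:  # Land: connect to yourself
            findings.append("land")
        if dport == 139 and flags & URG:      # WinNuke: OOB data to NetBIOS
            findings.append("winnuke-oob")
    return findings

# Constructed samples, one per pattern plus a benign SYN for contrast.
SAMPLES = {
    "land": ipv4_header("10.0.0.5", "10.0.0.5", 6) + tcp_header(80, 80, SYN),
    "winnuke": ipv4_header("10.0.0.9", "10.0.0.5", 6) + tcp_header(4000, 139, URG | 0x10),
    "jolt": ipv4_header("10.0.0.9", "10.0.0.5", 1, frag_off=8185, total_len=420) + b"\0" * 400,
    "benign": ipv4_header("10.0.0.9", "10.0.0.5", 6) + tcp_header(40000, 80, SYN),
}

def audit(samples):
    """Map each sample name to the patterns it triggers."""
    return {name: classify(pkt) for name, pkt in samples.items()}
```

In a real deployment the same checks would run over captured frames rather than the constructed `SAMPLES`, and a firewall that drops packets whose source equals its own address removes the Land case outright.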
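The glossary's Checksum, Cyclic Redundancy Check and Immunization entries describe fingerprinting files so they can be compared during later examinations. As an added example that is not part of the original text, the following Python code computes a table-driven CRC-32 (the look-up-table method the CRC entry mentions), records a baseline and reports changes, including the same-length modification the Stealth Viruses entry describes; the file paths and contents are constructed.

```python
# Added example (not from the original text): a file-integrity baseline in the
# spirit of the glossary's "Immunization" entry. Each file is fingerprinted by
# its length and a table-driven CRC-32 (the look-up-table method the CRC entry
# describes). Files here are constructed in-memory byte strings.

def make_crc32_table(poly=0xEDB88320):
    """256-entry table for the reflected CRC-32 used by zlib, PNG and Ethernet."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ poly if c & 1 else c >> 1
        table.append(c)
    return table

CRC_TABLE = make_crc32_table()

def crc32(data):
    """Table-driven CRC-32: one lookup per byte instead of eight bit shifts."""
    crc = 0xFFFFFFFF
    for b in data:
        crc = CRC_TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF

def baseline(files):
    """files: {path: bytes} -> {path: (length, crc32)} stored for later checks."""
    return {p: (len(d), crc32(d)) for p, d in files.items()}

def compare(base, files):
    """Report files whose fingerprint changed, appeared or disappeared."""
    report = {}
    for path in sorted(set(base) | set(files)):
        if path not in files:
            report[path] = "missing"
        elif path not in base:
            report[path] = "added"
        elif base[path] != (len(files[path]), crc32(files[path])):
            # A stealth-style edit keeps the length equal; the CRC still moves.
            # CRC is an error-detecting code, not a cryptographic hash, so pair
            # it with SHA-256 when deliberate tampering is the concern.
            same_len = base[path][0] == len(files[path])
            report[path] = "modified (same length)" if same_len else "modified"
    return report

# Constructed snapshot, then a same-length patch to one binary plus an extra file.
CLEAN = {"/bin/vi": b"ELF vi 3.0 original", "/bin/sed": b"ELF sed 4.2"}
LATER = {"/bin/vi": b"ELF vi 3.0 modified", "/bin/sed": b"ELF sed 4.2",
         "/bin/.hidden": b"scanner"}
```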